JP6885095B2 - Decoding classification method, decoding classification device and decoding classification program - Google Patents

Description

The present invention relates to a decoding classification method, a decoding classification device, and a decoding classification program.

Incidents and accidents related to information leakage due to internal fraud and targeted attacks are increasing. It is expected that it will be more important to take measures against information leakage by encrypting files.

Generally, when security measures are implemented, business efficiency often decreases. The burden on users and convenience for users in security measures are important factors that need to be considered when implementing security measures.

A specific example of file encryption, which is a countermeasure against information leakage described above, will be described. Encrypted files encrypted with file encryption products are often files that can be used by any application. If the file can be used by any application, the encrypted file is also used as it is in the application normally used by the user.

That is, since the user can handle the encrypted file by operating the application that is normally used, it is not necessary to introduce a new application to handle the encrypted file.

The feature of the file encryption product that generates the encrypted file that can be used in any application is that the cost for learning how to operate the encrypted file for the user is low and the convenience is high as described above. is there. That is, the burden on the user when introducing a file encryption product is light.

Many file encryption products intervene in the application's "open file" process to decrypt encrypted files. The file encryption product then passes the decrypted file to the application. That is, the file encryption product mediates the use of the encrypted file by the application in order to realize that the encrypted file is used by any application.

To accommodate any application, file encryption products intervene in the more general "open file" process, rather than in the individual process of each application. For example, a file encryption product intervenes in a general-purpose "open file" process by a Windows (registered trademark) API (Application Programming Interface) with an API hook or the like. The API hook means a process of interrupting when a program calls a specific API.

JP-A-2007-324726

When executing the "open file" process, the application normally opens not only the file that the user expects to open, but also the setting file and the like by internal processing. The application may also open a file that the user has not explicitly instructed to open in parallel with the execution of the "open file" process.

File encryption products are required to decide whether to decrypt each file that the application opens. However, the process by which the application opens each file corresponds to the general-purpose "open file" process.

In the above case, it is difficult for a file encryption product that intervenes in the general-purpose "open file" process to determine the purpose of the intervening process. Therefore, the file encryption product has no choice but to take either an operation of uniformly decrypting the encrypted file to be processed by the file opening process of the application or an operation of not uniformly decrypting the encrypted file.

For example, consider the case where an encrypted file is used in a mailer, which is software that creates, sends, receives, stores, and manages e-mail. It is assumed that the user of the mailer refers to the encrypted file attached to the received mail by the preview function of the mailer. In addition, it is assumed that the user sends the encrypted file attached to the sent mail in the encrypted state.

When an encrypted file is used by the mailer, the user sets the file encryption product to intervene in the "open file" process for the encrypted file by the mailer. With the above settings, the user can refer to the encrypted attachment of the received mail with the preview function of the mailer.

However, even when the user attaches the encrypted file to the outgoing mail, the application (mailer) may open the file by internal processing. When the mailer opens the file by internal processing, if the above settings are made, the attached file may be sent in a decrypted state against the intention of the user.

In the above example, the general-purpose "open file" process is performed by a low-layer API such as CreateFile of Windows API. The process of opening a file for preview in the mailer is done by the CreateFile API in the lower layer. In addition, the process of opening a file to attach a file to an email is also performed by the CreateFile API in the lower layer. That is, it is not possible to determine whether the purpose of the process is preview or email attachment just by referring to the process of CreateFile.

The above operation is not supposed to be taken by a file encryption product provided for the purpose of protecting information from targeted attacks and information leakage not intended by the user.

Patent Document 1 describes a file sharing server device that confirms a packet of a print spool open response message and decrypts an encrypted message. However, in the file sharing server device described in Patent Document 1, it is not assumed that it is determined whether or not to decrypt the message according to the type of the open response message.

[Purpose of Invention]
Therefore, the present invention provides a decryption classification method, a decryption classification device, and a decryption classification program that can prevent decryption of an encrypted file that the user does not intend based on the purpose of processing by the application, which solves the above-mentioned problems. The purpose.

The decryption classification method according to the present invention is a decryption classification method executed in the decryption classification device, and whether the decryption classification device decrypts the processing information which is the information related to the process of opening the encrypted file by the application and the encrypted file. The classification information including the decryption information indicating whether or not to indicate is stored in the storage unit, the processing information of the process of opening the encrypted file by the detected application is acquired, and the classification information stored in the storage unit is acquired. decoding information included in the classification information that includes a processing information, notifies the encrypted file in the detected processed decoding means for decoding based on the instruction indicated by the decoded information, the processing information, by the application It is characterized by including a stack trace related to the process of opening an encrypted file.

The decryption classification device according to the present invention includes a storage unit that stores classification information including processing information that is information related to processing for opening an encrypted file by an application and decryption information indicating an instruction as to whether or not to decrypt the encrypted file. , The acquisition unit that acquires the processing information of the process of opening the encrypted file by the detected application, and the decryption information included in the classification information including the acquired processing information among the classification information stored in the storage unit. The processing information includes a stack trace related to the processing of opening the encrypted file by the application, including a notification unit that notifies the decryption means of decrypting the encrypted file in the detected processing based on the instruction indicated by the decryption information. characterized in that it is.

The decryption classification program according to the present invention stores classification information including processing information which is information about a process of opening an encrypted file by an application and decryption information indicating an instruction as to whether or not to decrypt the encrypted file. included in the acquisition process, and classification information including the obtained processing information among the classified information stored in the storage unit of Ru storing process is stored, according to the detected application to acquire the processing information of the process to open the encrypted file to It is a decryption classification program for executing a notification process for notifying a decryption means that decrypts the decrypted information in the detected process based on the instruction indicated by the decryption information , and the processing information includes the decryption information. It is characterized by including a stack trace of the process of opening an encrypted file by an application.

According to the present invention, it is possible to prevent decryption of an encrypted file that the user does not intend based on the purpose of processing by the application.

It is a block diagram which shows the structural example of the 1st Embodiment of the decoding classification apparatus by this invention. It is a flowchart which shows the operation of the classification process by the decoding classification apparatus 20 of 1st Embodiment. It is a block diagram which shows the structural example of the 2nd Embodiment of the decoding classification apparatus by this invention. It is a block diagram which shows the structural example of the 2nd Embodiment of the application operation classification part 100. It is explanatory drawing which shows the example of the classification rule stored in the classification rule storage unit 200. It is explanatory drawing which shows the example of the confirmation screen which the confirmation screen display unit 105 displays. It is a flowchart which shows the operation of the classification result notification processing by the application operation classification unit 100 of the 2nd Embodiment.

Embodiment 1.
Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 is a block diagram showing a configuration example of a first embodiment of the decoding classification device according to the present invention. The decryption classification device 20 according to the present invention stores classification information including processing information which is information related to processing for opening an encrypted file by an application and decryption information indicating an instruction as to whether or not to decrypt the encrypted file. (For example, the classification rule storage unit 200), the acquisition unit 22 (for example, the application information acquisition unit 102) that acquires the processing information of the process of opening the encrypted file by the detected application, and the storage unit 21 are stored. Notification unit 23 (for example, classification result notification unit) that notifies the decryption means of the decryption target of the encrypted file in the detected processing of the decryption information included in the classification information including the acquired processing information among the classification information. 107) and.

Hereinafter, the classification process by the decoding classification device 20 will be described. FIG. 2 is a flowchart showing the operation of the classification process by the decoding classification device 20 of the first embodiment.

The acquisition unit 22 acquires processing information which is information related to the processing of opening the encrypted file by the detected application (step S11).

Next, the notification unit 23 extracts the classification information including the acquired processing information from the classification information stored in the storage unit 21 (step S12).

Next, the notification unit 23 sets the decryption means in which the decryption information indicating whether or not to decrypt the encrypted file included in the extracted classification information is detected is the decryption means to be decrypted. Notify (step S13). After notifying, the decoding classification device 20 ends the classification process.

With such a configuration, the decryption classification device can prevent decryption of the encrypted file that the user does not intend based on the purpose of processing by the application.

Further, the notification unit 23 may notify the decoding means of information indicating an instruction not to decrypt the encrypted file in the detected processing in which the classification information including the acquired processing information is not stored in the storage unit 21.

With such a configuration, the decryption classification device can prevent the decryption of the encrypted file not specified in advance by the user.

Further, the notification unit 23 is an input means for inputting information indicating whether or not to decrypt the encrypted file in the detected processing in which the classification information including the acquired processing information is not stored in the storage unit 21. (For example, a confirmation screen) may be presented to notify the decoding means of the information input via the presented input means.

With such a configuration, the decryption classification device can confirm with the user whether or not to decrypt the encrypted file not specified in advance by the user.

Further, the storage unit 21 may store the classification information in which the information input via the presented input means is included as the decoding information.

With such a configuration, the decryption classification device can register new classification information regarding the encrypted file that has not been previously specified to the user.

Further, the decryption classification device 20 may include a detection unit (for example, a file access detection unit 101) that detects a process of opening an encrypted file by an application.

With such a configuration, the decryption classifier can detect the process of opening the encrypted file by the application.

In addition, the processing information may include a stack trace related to the processing of opening the encrypted file by the application.

With such a configuration, the decryption classification device can set the conditions of the process of opening the encrypted file by the application permitted to decrypt the encrypted file in more detail.

In addition, the processing information includes information about the application in the process of opening the encrypted file by the application (for example, the path where the application is stored) and information about the encrypted file (for example, the extension of the encrypted file). You may.

Embodiment 2.
[Description of configuration]
Next, a second embodiment of the present invention will be described with reference to the drawings. FIG. 3 is a block diagram showing a configuration example of a second embodiment of the decoding classification device according to the present invention.

The decryption classification device of the present embodiment causes an arbitrary application to execute only the decryption process specified by the user, and suppresses the execution of the decryption process not specified by the user, thereby ensuring the safety and convenience of the file. It is a decryption classification device for encrypted files that achieves both.

As shown in FIG. 3, the decoding classification device 10 includes an application operation classification unit 100, a classification rule storage unit 200, an application 300 (hereinafter referred to as AP300), an operating system 400 (hereinafter referred to as OS400), and the like. It is provided with a hard disk drive device 500 (hereinafter referred to as HDD 500).

The application operation classification unit 100 processes an operation of an arbitrary application that handles an encrypted file, an application operation that processes a file in which the encrypted file is decrypted, and an application operation that processes the encrypted file in an encrypted state. It has a function to classify into either.

The application operation classification unit 100 operates in cooperation with a file encryption product (not shown) that intervenes in the "open file" process of any application.

The classification rule storage unit 200 has a function of storing classification rules used by the application operation classification unit 100 when classifying application operations. The classification rule is stored as a file in the classification rule storage unit 200, which is a hard disk, for example. Further, the classification rule storage unit 200 may be a database.

As shown in FIG. 3, the classification rule is composed of an "AP path", an "extension", a "stack trace", and a "decryption operation". The "AP path" is a path in which an arbitrary application is stored. The "extension" is the extension of an encrypted file opened by any application.

The "stack trace" shows the history of functions and methods executed in the process of opening an encrypted file of an arbitrary application. The "decryption operation" indicates an instruction as to whether or not the application corresponding to the content described in the classification rule decrypts the encrypted file in the process of opening the encrypted file.

AP300 is an arbitrary application. In the example shown in FIG. 3, AP300 is assumed to be a mailer called "Mail.exe".

OS400 is an operating system of the decoding classification device 10. OS400 is, for example, Windows. Further, the HDD 500 is a hard disk drive device (Hard Disk Drive) included in the decoding classification device 10.

Hereinafter, the operation of classifying the encrypted file to be decrypted by the decryption classification device 10 of the present embodiment will be described with reference to FIG. As shown in FIG. 3, the application operation classification unit 100 detects access to the encrypted file of the AP 300 (step S1).

Next, the application operation classification unit 100 acquires the path in which the AP300 that accessed the encrypted file is stored and the stack trace related to the access of the AP300 (step S2).

Next, the application operation classification unit 100 acquires a classification rule from the classification rule storage unit 200 (step S3). The application operation classification unit 100 confirms whether or not the acquired classification rule includes the same information as the information acquired in step S2 (step S4).

If the classification rule containing the same information does not exist (“if it does not exist” in step S5), the application operation classification unit 100 determines that the encrypted file is not decrypted. Alternatively, the application operation classification unit 100 confirms with the user whether or not to decrypt the encrypted file.

When a classification rule is newly specified by the user, the application operation classification unit 100 stores the designated classification rule in the classification rule storage unit 200. After deciding whether or not to decrypt the encrypted file, the decryption classification device 10 ends the decryption classification process.

When a classification rule containing the same information exists (“if it exists” in step S5), the application operation classification unit 100 decrypts the encrypted file according to the content indicated by the “decryption operation” included in the target classification rule. Decide whether or not. After deciding whether or not to decrypt the encrypted file, the decryption classification device 10 ends the decryption classification process.

Next, the configuration of the application operation classification unit 100 will be described with reference to the drawings. FIG. 4 is a block diagram showing a configuration example of a second embodiment of the application operation classification unit 100.

As shown in FIG. 4, the application operation classification unit 100 classifies the file access detection unit 101, the application information acquisition unit 102, the classification rule acquisition unit 103, the classification rule confirmation unit 104, and the confirmation screen display unit 105. It includes a rule storage unit 106, a classification result notification unit 107, and a confirmation screen display switching unit 108.

In the application operation classification unit 100 of the present embodiment, the operation of the application that opens the encrypted file is an application operation that is permitted to decrypt the encrypted file, or an application operation that is not permitted to decrypt the encrypted file. Determine if there is one according to the classification rules.

The file access detection unit 101 has a function of detecting that the "open file" process has been performed in cooperation with the file encryption product that intervened in the "open file" process of any application. Upon detection by the file access detection unit 101, the decoding classification device 10 starts the decoding classification process.

The application information acquisition unit 102 has a function of acquiring information used for searching a classification rule. As shown in FIG. 3, the information acquired by the application information acquisition unit 102 is, for example, a path in which the application executing the "open file" process is stored or an extension of the file to be processed.

Further, as shown in FIG. 3, the information acquired by the application information acquisition unit 102 also includes a stack trace related to the processing of the application that opens the encrypted file. After acquiring the information, the application information acquisition unit 102 orders the classification rule acquisition unit 103 to acquire the classification rule.

The application information acquisition unit 102 intervenes in the processing of the application by an API hook or the like, as in the case of the file encryption product, for example. By intervening, the application information acquisition unit 102 acquires the path in which the application is stored, the extension of the file to be processed, and the stack trace regarding the processing of the application that opens the encrypted file.

When the decryption classification device 10 intervenes in the processing of the low-layer CreateFile, the processing of the intervention target is reduced because it can correspond to a general-purpose application. However, the purpose of the operation cannot be determined only by referring to the low-layer processing. Therefore, the application information acquisition unit 102 of the present embodiment uses the stack trace.

Stack traces are also known as call stacks. The Call Stack is a stack that stores information about subroutines during program execution. A stack trace is data in which the information stored in the stack is partially copied.

When the stack trace is used, the decryption classification device 10 can confirm the processing process until CreateFile is called. That is, the decoding classification device 10 can cope with the difference in each operation of the application while maintaining the versatility.

The classification rule acquisition unit 103 has a function of acquiring a classification rule including the information acquired by the application information acquisition unit 102 from the classification rule stored in the classification rule storage unit 200. FIG. 5 is an explanatory diagram showing an example of a classification rule stored in the classification rule storage unit 200.

The form of the classification rule shown in FIG. 5 is the same as the form of the classification rule shown in FIG. That is, as shown in FIG. 5, the classification rule is composed of an "AP path", an "extension", a "stack trace", and a "decoding operation".

When acquiring the classification rule, the classification rule acquisition unit 103 may acquire the classification rule including the information that completely matches the information acquired by the application information acquisition unit 102. Further, the classification rule acquisition unit 103 may acquire a classification rule including information that partially matches the information acquired by the application information acquisition unit 102.

After executing the process of acquiring the classification rule, the classification rule acquisition unit 103 instructs the classification rule confirmation unit 104 to confirm the processing result.

The classification rule confirmation unit 104 confirms the processing result of the classification rule acquisition unit 103. If the classification rule has been acquired as a result of the confirmation, the classification rule confirmation unit 104 determines the decoding operation according to the acquired classification rule. The classification rule confirmation unit 104 instructs the classification result notification unit 107 to notify the determined decoding operation.

As a result of the confirmation When the classification rule has not been acquired, the classification rule confirmation unit 104 confirms whether or not the decoding operation is confirmed to the user. When the user is set to confirm the decoding operation, the classification rule confirmation unit 104 instructs the confirmation screen display unit 105 to display the confirmation screen.

If the user is not set to confirm the decoding operation, the classification rule confirmation unit 104 instructs the classification result notification unit 107 to notify that the decoding operation is not performed.

The confirmation screen display unit 105 has a function of displaying a confirmation screen asking the user to input whether or not the encrypted file needs to be decrypted. FIG. 6 is an explanatory diagram showing an example of a confirmation screen displayed by the confirmation screen display unit 105. The confirmation screen display unit 105 confirms with the user whether or not the encrypted file needs to be decrypted by using the confirmation screen shown in FIG.

As shown in FIG. 6, on the confirmation screen, an application requesting decryption, a file requested to be decrypted, and confirmation of whether or not decoding is necessary are displayed. When permitting the decryption of the encrypted file, the user clicks the "decrypt" button. If the decryption of the encrypted file is not permitted, the user clicks the "Do not decrypt" button.

Based on the information input from the user, the confirmation screen display unit 105 instructs the classification result notification unit 107 to notify the decoding operation indicated by the input information.

When the user chooses to save the content displayed on the confirmation screen as a classification rule, the confirmation screen display unit 105 receives the information input from the user and then stores the content displayed on the confirmation screen in the classification rule storage unit 106. Instruct them to save the new classification rule.

When the user chooses to save the content displayed on the confirmation screen as a classification rule, for example, when a check is entered in the check box of "Do not confirm from the next time" shown in FIG. ..

That is, when the classification rule corresponding to the classification rule storage unit 200 does not exist, the confirmation screen display unit 105 newly generates a classification rule by confirming with the user whether or not the encrypted file needs to be decrypted. When a new classification rule is generated, the confirmation screen display unit 105 does not have to reconfirm with the user whether or not decoding is necessary after the first confirmation regarding the same case. File encryption products and applications operate according to the generated classification rules.

Further, when the classification rule corresponding to the classification rule storage unit 200 does not exist, the confirmation screen display unit 105 does not execute the decryption without confirming to the user whether or not the encrypted file needs to be decrypted. , And may act to notify the application. The user can change the operation taken by the confirmation screen display unit 105 at any time.

The classification rule storage unit 106 stores in the classification rule storage unit 200 a new classification rule generated based on the information acquired by the application information acquisition unit 102 and the information input from the user to the confirmation screen display unit 105. Has the function of After the storage is completed, the classification rule storage unit 106 instructs the classification result notification unit 107 to notify the decoding operation indicated by the stored classification rule.

The classification result notification unit 107 has a function of notifying the file encryption product linked with the decryption classification device 10 of the decryption operation of the encrypted file. The information of the decoding operation to be notified is input to the classification result notification unit 107 from any of the classification rule confirmation unit 104, the confirmation screen display unit 105, or the classification rule storage unit 106.

When the file encryption product is notified of a "do not decrypt" decryption action, the application attempts to open the encrypted file. In the case of a mailer, the file is attached to the outgoing mail in an encrypted state.

The confirmation screen display switching unit 108 has a function of switching the confirmation screen to be displayed when the classification rule does not exist in the classification rule storage unit 200. The user can switch the confirmation screen to be displayed on the confirmation screen display switching unit 108 at an arbitrary timing.

In general, it is considered that the number of files opened by the user is smaller than the number of files opened by the application by internal processing. The reason is that the files that the application opens by internal processing include many files such as configuration files, log files, and dlls (dynamic link libraries).

The confirmation screen display switching unit 108 can instruct the classification rule confirmation unit 104 not to confirm to the user other than the encrypted file that is supposed to be opened by the user. That is, since the confirmation screen displayed when the confirmation screen display switching unit 108 is provided is limited, the convenience for the user is improved.

[Explanation of operation]
Hereinafter, an operation of notifying the classification result of the application operation classification unit 100 of the present embodiment will be described with reference to FIG. 7. FIG. 7 is a flowchart showing the operation of the classification result notification processing by the application operation classification unit 100 of the second embodiment.

First, the file access detection unit 101 detects that the "open file" process has been performed in cooperation with the file encryption product that intervened in the "open file" process of any application (step S101). ..

Next, the application information acquisition unit 102 acquires information about the application that has performed the "open file" process (step S102). The application information acquisition unit 102 acquires, for example, the path in which the application that has performed the "open file" process is stored, the extension of the file to be processed, and the stack trace related to the process of the application that opens the encrypted file.

Next, the classification rule acquisition unit 103 acquires a classification rule including the information acquired in step S102 among the classification rules stored in the classification rule storage unit 200 (step S103). The acquired classification rule may include information that completely matches the information acquired in step S102, or includes information that partially matches the information acquired in step S102. You may.

Next, the classification rule confirmation unit 104 confirms whether or not the classification rule has been acquired in step S103 (step S104). When the classification rule is acquired (Yes in step S104), the classification rule confirmation unit 104 confirms the content of the acquired classification rule (step S105). After confirmation, the application operation classification unit 100 performs the process of step S110.

When the classification rule is not acquired (No in step S104), the classification rule confirmation unit 104 confirms whether or not the target encrypted file is set so that the user can confirm the decryption operation. Inquire and confirm the display switching unit 108 (step S106).

When the target encrypted file is not set so that the user can confirm the decryption operation (No in step S106), the application operation classification unit 100 performs the process of step S110.

When the target encrypted file is set so that the user can confirm the decryption operation (Yes in step S106), the confirmation screen display unit 105 asks the user whether or not the encrypted file needs to be decrypted. A confirmation screen prompting for the input of is displayed (step S107).

The confirmation screen display unit 105 waits for input from the user to the confirmation screen. After the user inputs the necessity of decoding to the confirmation screen, the confirmation screen display unit 105 performs the process of step S108.

Next, the confirmation screen display unit 105 confirms whether or not the user has selected to save the content displayed on the confirmation screen as a classification rule (step S108). When saving as a classification rule is not selected (No in step S108), the application operation classification unit 100 performs the process of step S110.

When saving as a classification rule is selected (Yes in step S108), the classification rule saving unit 106 saves the classification rule generated by the confirmation screen display unit 105 in the classification rule storage unit 200 (step S109). ..

For example, the confirmation screen display unit 105 sets the path where the application executing the "open file" process is stored, the extension of the file to be processed, and the stack trace related to the process of the application that opens the encrypted file. Include in the generated classification rules.

Next, the confirmation screen display unit 105 adds information on the decryption operation indicating an instruction as to whether or not to decrypt the encrypted file to the generated classification rule. The classification rule storage unit 106 stores the generated classification rule in the classification rule storage unit 200.

Next, the classification result notification unit 107 notifies the file encryption product to which the decryption classification device 10 cooperates with the classification result based on the information acquired from the classification rule or the information input from the user (step S110). ..

Specifically, the classification result notification unit 107 notifies the file encryption product of information on the decryption operation indicating an instruction as to whether or not to decrypt the encrypted file to be processed in the "open file" process. After the notification, the application operation classification unit 100 ends the classification result notification process.

[Explanation of effect]
The decoding classification device of this embodiment can correspond to any application. The decryption classification device classifies the "open file" process performed by the application according to the purpose, so that the file encryption product decrypts only the file that is supposed to be opened by the user. That is, since decryption of a file that is not supposed to be opened by the user is prevented, the decryption classification device can achieve both improvement in security level and improvement in convenience.

Encrypted files encrypted with file encryption products are often files that can be used by any application. A feature of a file encryption product that generates an encrypted file that can be used by any application is that the cost for learning how to operate the encrypted file for the user is low and the convenience is high. That is, the burden on the user when introducing a file encryption product is light.

To accommodate any application, file encryption products intervene in more general-purpose "open file" processes, such as the Windows API process, rather than in the individual process of each application. However, it is difficult for a file encryption product that intervenes in a general-purpose "open file" process to determine the purpose of the intervening process.

Since it is difficult to determine the purpose of the file open process, the file encryption product cannot perform a process that decrypts only the file that is supposed to be opened by the user and does not decrypt other files. In order to protect information from targeted attacks and information leakage that the user does not intend, file encryption products are required to decrypt only files that are supposed to be opened by the user.

The decoding classification device of this embodiment can correspond to any application. Further, the decoding classification device of the present embodiment classifies the "open file" process of the application according to the purpose, thereby decoding only the file that is supposed to be opened by the user, and the user is opened. Prevent decryption of unexpected files.

The decryption classification device of this embodiment is considered to be used for DRM (Digital Rights Management), improvement of content security, and improvement of security by file encryption.

The decoding classification device 10 and the decoding classification device 20 of each embodiment are realized by, for example, a CPU (Central Processing Unit) that executes processing according to a program stored in a non-temporary storage medium. That is, the acquisition unit 22, the notification unit 23, the file access detection unit 101, the application information acquisition unit 102, the classification rule acquisition unit 103, the classification rule confirmation unit 104, the confirmation screen display unit 105, the classification rule storage unit 106, and the classification result notification unit 107. The confirmation screen display switching unit 108, AP300, and OS400 are realized by, for example, a CPU that executes processing according to program control.

Further, the storage unit 21 is realized by, for example, RAM (Random Access Memory). Further, the classification rule storage unit 200 may be realized by RAM.

Further, each part in the decoding classification device 10 and each part in the decoding classification device 20 of each embodiment may be realized by a hardware circuit. As an example, the storage unit 21, the acquisition unit 22, the notification unit 23, the file access detection unit 101, the application information acquisition unit 102, the classification rule acquisition unit 103, the classification rule confirmation unit 104, the confirmation screen display unit 105, and the classification rule storage unit 106. , Classification result notification unit 107, confirmation screen display switching unit 108, classification rule storage unit 200, AP300, OS400, and HDD500 are each realized by LSI (Large Scale Integration). Further, they may be realized by one LSI.

10, 20 Decoding classification device 21 Storage unit 22 Acquisition unit 23 Notification unit 100 Application operation classification unit 101 File access detection unit 102 Application information acquisition unit 103 Classification rule acquisition unit 104 Classification rule confirmation unit 105 Confirmation screen display unit 106 Classification rule storage unit 107 Classification result notification unit 108 Confirmation screen display switching unit 200 Classification rule storage unit 300 Application 400 Operating system 500 Hard disk drive

Claims (10)

It is a decoding classification method executed in the decoding classification device.
The decoding classification device
Stored in the storage unit classification information including the decryption information indicating whether to decode whether the instruction processing information and the encrypted file is information relating to the processing of opening the encrypted file by the application,
Acquires the processing information of the process of opening the encrypted file by the detected application,
Decoding information included in the classification information including the acquired processing information among the classified information stored in the storage unit, decodes based on the encrypted file in the detected processing instruction indicated by the decoded information notify the decoding means,
A decryption classification method characterized in that the processing information includes a stack trace related to the processing of opening an encrypted file by an application. Decryption classification device
The decryption classification method according to claim 1, wherein when the classification information including the acquired processing information is not stored in the storage unit, the decoding means is notified of the information indicating the instruction not to decrypt the encrypted file in the processing indicated by the processing information. .. Decryption classification device
When the classification information including the acquired processing information is not stored in the storage unit, an input means for inputting information indicating whether or not to decrypt the encrypted file in the processing indicated by the processing information is presented.
The decoding classification method according to claim 1, wherein the information input via the presented input means is notified to the decoding means. Decryption classification device
Presented decoded classification method of claim 3, wherein the classification information Ru stored in the storage unit the information entered via the input means is included as the decoding information. Decryption classification device
The decryption classification method according to any one of claims 1 to 4, which detects a process of opening an encrypted file by an application. A storage unit that stores classification information including processing information that is information related to processing for opening an encrypted file by an application and decryption information that indicates whether or not to decrypt the encrypted file.
An acquisition unit that acquires processing information for the process of opening an encrypted file by the detected application,
Decoding information included in the classification information including the acquired processing information among the classified information stored in the storage unit, decodes based on the encrypted file in the detected processing instruction indicated by the decoded information It is equipped with a notification unit that notifies the decryption means .
A decryption classification device characterized in that the processing information includes a stack trace related to the processing of opening an encrypted file by an application. The sixth aspect of claim 6 in which the notification unit notifies the decoding means of information indicating an instruction not to decrypt the encrypted file in the processing indicated by the processing information when the classification information including the acquired processing information is not stored in the storage unit. Decryption classification device. The notification part is
When the classification information including the acquired processing information is not stored in the storage unit, an input means for inputting information indicating whether or not to decrypt the encrypted file in the processing indicated by the processing information is presented.
Notify the decoding means of the information input via the presented input means.
The decoding classification device according to claim 6. On the computer
Application storage processing Ru stored in the storage unit classification information including the decryption information indicating whether an instruction to decode the processed information and the encrypted file is information relating to the processing of opening the encrypted file by,
Acquisition process to acquire processing information of processing to open encrypted file by detected application, and
Decoding information included in the classification information including the acquired processing information among the classified information stored in the storage unit, decodes based on the encrypted file in the detected processing instruction indicated by the decoded information A decryption classification program for executing a notification process for notifying the decryption means .
The processing information includes a stack trace of the application's process of opening the encrypted file.
Decryption classification program . On the computer
9. When the classification information including the acquired processing information is not stored in the storage unit, a notification process for notifying the decryption means of information indicating an instruction not to decrypt the encrypted file in the process indicated by the process information is executed. The decryption classification program described.

Images